There's a defect in idmap_rfc2307 when more than two SIDs need to be converted to unix ids. So with an empty gencache (net cache flush), doing a wbinfo -r on a user (i.e. the essence of "id") after a successful SMB login will only show the first two GIDs correctly. After the negative idmap cache timeout, another wbinfo -r will add two more GIDs, and so on. This will then work fine until the normal idmap cache timeout flushes the successful entries again. So after n/2 tries (n being the number of groups a user is a member of) it will work fine for a week.
Created attachment 13208: Patches for 4.5
Created attachment 13209: Patches for 4.6
Pushed to autobuild-v4-{6,5}-test.
(In reply to Karolin Seeger from comment #3) Pushed to both branches. Closing out bug report. Thanks!